A new risk has developed in the data privacy and security environment—one that is reflected in the difference between data ownership and data stewardship.

A fundamental change is in store:
Companies and data aggregators will soon need to make a shift from thinking that
they are owners of captured personally identifiable information (PII) data to viewing
themselves as custodians of that data. Therefore, companies will have to revise
their operations and security to avoid adverse business and legal consequences.

Data aggregation is essential for
modern business practice. Every organization needs to track contact information
to fulfill its business model.

The law and the force majeure (a clause in contracts that removes liability for
unavoidable natural catastrophes) give rights of ownership for data and the
structures of its retention to the aggregator. In other words, the company that
collects data on its customers currently owns that data and generally values it
highly, since it is the lifeblood of its customer base. Proprietary data also
includes designs, specifications and traditional intellectual
property.

As the organizational workflow has become automated—overlaid onto a company’s communications
activities and posted to the Internet—operational workflow, embodied by the
software, apps and the way of doing business, has
become part of this data privacy and security legacy. Companies have battled in
court when salespeople, key personnel or technical
insiders hop jobs and carry this valuable information with them (illegally) to
the new job.

Though this is a concern, a new risk
has developed in the evolving data privacy and security milieu—one that is
reflected in the difference between data ownership and data stewardship.

Even if you are not yet aware of this
issue, you’re likely to have it heaped on your plate within a few
years. It’s a function of adverse events, the type of business you run and the
density of the personally identifiable information within your databases. The
more personal details you capture to describe each person in those databases,
the more your organization is at risk for legal or public relations exposures.

This data is likely to include a
customer’s personal likes and dislikes. More alarmingly, it is likely to
include the columns of information not yet included in the safe-harbor
categories of PII that can be combined—either internally or with external free,
public
or commercial databases—to reveal a person’s identity. See www.ftc.gov/os/comments/privacyreportframework/00191-57181.pdf
for background and a technical description of this risk.

Even when operations that use PII seem
isolated from the Internet or are fragmented in steps that lack workflow
integration, the infiltration of smartphones, tablets and end-to-end
connectivity for data flow and processes puts the bulk of this information at
risk for exposure. Organizations ranging from Heartland, T.J. Maxx and Sony to universities
and even our government have found themselves explaining that they didn’t mean
to be the source of a breach.

This points out the discrepancy
between who actually owns—or should own—the private data and who is just the
responsible steward of the data. Privacy is the same as security,
except that security occurs with the ownership role, while privacy emphasizes
the stewardship.

What is the difference between the two
roles? Data ownership means unqualified rights to granular intellectual
property and PII data. Stewardship, on the other hand, is a standard of care
for tangible fixed, depreciable or amortizable assets that include data
records, documents, intellectual property and other intangibles.

Richard Santalesa, senior counsel in the
Information Law Group's East Coast office, reinforces some of these assertions
with his own view of the environment. Primarily, his work relates to security
and privacy issues when they breach explicit or implied contracts. He says that “Organizations are simply not
keeping pace with the rate of change,” referring to legal enforcement as well
as technological matters. “We tend to be reactive rather than proactive.”

A National Policy of Privacy

The push is on for a national policy of privacy by design, a structure for
operational privacy based on current understanding, and the so-called right-to-forget
information in databases after some arbitrary elapsed period of time. This push
is represented by a number of Congressional bills for a national data-breach
law and do-not-track laws.

However, these efforts are dying in committees,
suppressed by the efforts of data aggregators that use paid lobbyists. The lack
of legislation does not diminish the need for the judiciary to reinterpret
these issues, while making case law and raising the concerns to the forefront.

Although these matters are not covered
by legislation or existing law, privacy proposals from nonlegislative bodies
are altering the environment. While the National
Institute of Standards and Technology’s draft recommendations do not
have the force of law in most venues, the Federal Communications Commission and
the Federal Trade Commission are enforcing them as a law of operational
security. Primarily, this consists of pushing the obligation of privacy and
data security to the companies accumulating the PII data.

These commissions are slowly allowing
tangible damages in the event of breaches through innovative claims filed by
hurt parties. Companies are on notice that they should employ defensible
actions as part of their common law duties. Santalesa also notes a growth in
actions for tort damages. This should be a wake-up call for organizations to
adapt to this privacy and security evolution proactively, not as an immediate
hot button, but rather as an evolving risk
factor.

All U.S. legislative and enforcement efforts lag the activity
taking place in the European Union, primarily in Germany. This points to a
trend that will ultimately erode the ability of organizations that profit from data
aggregation (such as data obtained from Web-based sales) to ignore
the fallout from leaks, breaches, thefts and insiders
walking away with privileged data.

While this is not a crisis now, it does
show a clear trend toward putting the rights of individuals to their own PII
above the rights of data aggregators. Failure to protect this data will increasingly
carry actionable civil, and potentially even criminal, consequences for
companies that fail to adapt and take measures to prevent losses.

This goes beyond public relations
fiascos and shows that now is the time to consider adapting to the evolving
data privacy and security milieu in easy steps. Doing this will allow companies
to proactively catch up and ultimately get ahead of the
rapid changes taking place.

Important touch points include Website
operators and online merchants that exchange PII obtained under a
contract of care and that try to sidestep Website limitations and data-retention
time frames.
The relevant point is that breaches cause erosion of customer loyalty,
litigation, complications under policies in other countries and adverse
findings under torts.

In evolving case law, ownership of PII
is reverting to individuals under the stewardship of the data integrators.
Ownership remains in question for the foreseeable future, but the standard of
care and migration to stewardship is clearly the wave of the future.

Martin Nemzow troubleshoots broken businesses, and was a
data security executive consulting with military commands, intelligence
agencies, and prime contractors and integrators. Before that, he was an
executive at Fortune 500 companies, a consultant and a principal in numerous
high-tech startups. Martin can be reached at mnemzo@gmail.com.